ESB-2018.1036 - [Win][UNIX/Linux] CA API Developer Portal: Cross-site scripting - Remote with user interaction 2018-04-05


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1036
        CA20180328-01: Security Notice for CA API Developer Portal
                               5 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CA API Developer Portal
Publisher:         CA Technologies
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-6588 CVE-2018-6587 CVE-2018-6586

Original Bulletin: 
   https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20180328-01--security-notice-for-ca-api-developer-portal.html

- --------------------------BEGIN INCLUDED TEXT--------------------

CA20180328-01: Security Notice for CA API Developer Portal

Issued: March 28, 2018
Last Updated: March 28, 2018

CA Technologies Support is alerting customers to multiple potential risks with
CA API Developer Portal. Multiple vulnerabilities exist that can allow a
remote attacker to conduct cross-site scripting attacks.

The first vulnerability, CVE-2018-6586, has a medium risk rating and concerns
profile picture management which can allow a remote attacker to conduct stored
cross-site scripting attacks (CWE-79).

The second vulnerability, CVE-2018-6587, has a medium risk rating and concerns
the widgetID variable, which can allow a remote attacker to conduct reflected
cross-site scripting attacks (CWE-79).

The third vulnerability, CVE-2018-6588, has a medium risk rating and concerns
how the apiExplorer handles requests, which can allow a remote attacker to
conduct reflected cross-site scripting attacks (CWE-79).
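The two reflected issues above are tied to request input (the widgetID parameter and requests to apiExplorer), which gives a defender something concrete to watch in web server logs while the CR7 update is rolled out. The following is an added example, not code from the advisory or from CA: it scans constructed access-log lines for decoded values carrying markup or script fragments in those locations. The request paths and the apiExplorer parameter name are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines (combined-log style); paths are illustrative assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2018:10:01:02 +1000] "GET /portal/widget?widgetID=12 HTTP/1.1" 200 512
10.0.0.7 - - [05/Apr/2018:10:01:09 +1000] "GET /portal/widget?widgetID=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [05/Apr/2018:10:02:15 +1000] "GET /apiExplorer/?api=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 700
10.0.0.9 - - [05/Apr/2018:10:03:00 +1000] "GET /apiExplorer/?api=orders HTTP/1.1" 200 700
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# CWE-79 is about input reaching the page unescaped, so match on the decoded
# value: tag delimiters, a javascript: URL or an on*= event-handler attribute.
XSS_HINT_RE = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)


def decoded_params(target):
    """Split a request target into (path, {name: [values]}); parse_qs removes one
    layer of percent-encoding and unquote_plus a second, to catch double-encoding."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, {k: [unquote_plus(v) for v in vs] for k, vs in params.items()}


def suspicious_values(path, params):
    """Yield (cve, param, value) for values that look like injected markup."""
    for name, values in params.items():
        for v in values:
            if not XSS_HINT_RE.search(v):
                continue
            if name == "widgetID":              # CVE-2018-6587 location (from the advisory)
                yield "CVE-2018-6587", name, v
            elif "apiExplorer" in path:         # CVE-2018-6588 location (path assumed)
                yield "CVE-2018-6588", name, v


def scan_log(text):
    """Return [(ip, cve, param, decoded_value)] findings for every parsable line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, params = decoded_params(m.group("target"))
        for cve, name, v in suspicious_values(path, params):
            findings.append((m.group("ip"), cve, name, v))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Alerting on decoded values rather than the raw query string matters because the same payload may arrive single- or double-encoded; a hit on a widgetID value is a strong indicator regardless of path, while the apiExplorer check is scoped to that path.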

Risk Rating

+--------------------------+-----------------+
|CVE Identifier            |Risk Rating      |
+--------------------------+-----------------+
|CVE-2018-6586             |Medium           |
+--------------------------+-----------------+
|CVE-2018-6587             |Medium           |
+--------------------------+-----------------+
|CVE-2018-6588             |Medium           |
+--------------------------+-----------------+

Platform(s)

All supported platforms

Affected Products

+-------------------------------------------+---------------------------------------------+
|CVE Identifier                             |Affected Product and Releases                |
+-------------------------------------------+---------------------------------------------+
|CVE-2018-6586                              |CA API Developer Portal 3.5 GA through and   |
|                                           |including CR6                                |
+-------------------------------------------+---------------------------------------------+
|CVE-2018-6587                              |CA API Developer Portal 3.5 GA through and   |
|                                           |including CR6                                |
+-------------------------------------------+---------------------------------------------+
|CVE-2018-6588                              |CA API Developer Portal 3.5 GA through and   |
|                                           |including CR5                                |
+-------------------------------------------+---------------------------------------------+

*CA API Developer Portal was formerly called CA Layer 7 API Portal

Unaffected Products

CA API Developer Portal 4 and newer releases

How to determine if the installation is affected

Customers may use the CA API Developer Portal web interface to find the
product version and then use the table in the Affected Products section to
determine if the installation is vulnerable.

Solution

CA Technologies published the following solution to address the
vulnerabilities.

CA API Developer Portal 3.5:

Update to CA API Developer Portal 3.5 CR7 to address all vulnerabilities in
this security notice.

CA API Management Solutions & Patches

References

CVE-2018-6586 - CA API Developer Portal profile picture stored XSS
CVE-2018-6587 - CA API Developer Portal widgetID reflected XSS
CVE-2018-6588 - CA API Developer Portal apiExplorer reflected XSS

Acknowledgement

CVE-2018-6586, CVE-2018-6587, CVE-2018-6588 - Alphan Yavas from Biznet Bilisim
A.S.

Change History

Version 1.0: 2018-03-28 - Initial Release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
